Cisco FirePOWER ASA 5500 series User Manual
15-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
• Passing Traffic Not Allowed in Routed Mode, page 15-8
• MAC Address Lookups, page 15-9
• Using the Transparent Firewall in Your Network, page 15-9
• Transparent Firewall Guidelines, page 15-9
• Unsupported Features in Transparent Mode, page 15-10
• How Data Moves Through the Transparent Firewall, page 15-11
Transparent Firewall Network
The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP readdressing is unnecessary.
Allowing Layer 3 Traffic
Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Note: The transparent mode security appliance does not pass CDP packets.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
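The forwarding rules on this page, as an added model in Python that is not part of the Cisco guide: the destination-MAC allow list is checked first, then ARP passes without an access list, IP needs an extended access list, and everything else needs an EtherType access list. The MAC ranges are the ones listed above; the EtherType constants are the standard IEEE values; treating unicast destinations as eligible (the chapter handles them under MAC address lookups) is an assumption of this model, as is the well-known CDP destination MAC used in the sample frame.

```python
# Added example, not from the Cisco guide: a model of the transparent-firewall
# forwarding decision described on this page. Sample frames are constructed.
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted (0100.5e00.0000), colon or dash notation to an int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


# Destination MAC addresses the page lists as allowed (inclusive ranges).
ALLOWED_DST_MAC_RANGES = [
    ("ffff.ffff.ffff", "ffff.ffff.ffff"),  # true broadcast
    ("0100.5e00.0000", "0100.5efe.ffff"),  # IPv4 multicast
    ("3333.0000.0000", "3333.ffff.ffff"),  # IPv6 multicast
    ("0100.0ccc.cccd", "0100.0ccc.cccd"),  # BPDU multicast
    ("0900.0700.0000", "0900.07ff.ffff"),  # AppleTalk multicast
]
_RANGES = [(mac_to_int(lo), mac_to_int(hi)) for lo, hi in ALLOWED_DST_MAC_RANGES]


def dst_mac_allowed(dst_mac: str) -> bool:
    """Group addresses (I/G bit set) must be on the page's list. Unicast
    destinations are assumed to be handled by the MAC lookup covered elsewhere
    in this chapter and are treated as eligible here (model assumption)."""
    value = mac_to_int(dst_mac)
    if not (value >> 40) & 1:          # I/G bit of the first octet clear: unicast
        return True
    return any(lo <= value <= hi for lo, hi in _RANGES)


def transparent_decision(dst_mac: str, ethertype: int,
                         extended_acl_permits: bool = False,
                         ethertype_acl_permits: bool = False) -> str:
    """Return 'permit' or 'drop' for one frame: MAC allow list first, then
    ARP (no ACL needed), IP (extended ACL), anything else (EtherType ACL)."""
    if not dst_mac_allowed(dst_mac):
        return "drop"                  # CDP's 0100.0ccc.cccc is not listed, so it is dropped
    if ethertype == ETHERTYPE_ARP:
        return "permit"                # ARP passes by default (ARP inspection aside)
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return "permit" if extended_acl_permits else "drop"
    return "permit" if ethertype_acl_permits else "drop"


if __name__ == "__main__":
    # Constructed frames: OSPF hello to the AllSPFRouters multicast MAC, a CDP frame,
    # and an AppleTalk frame (EtherType 0x809B) to an AppleTalk multicast MAC.
    print(transparent_decision("0100.5e00.0005", ETHERTYPE_IPV4, extended_acl_permits=True))
    print(transparent_decision("0100.0ccc.cccc", 0x0000))  # dropped at the MAC check
    print(transparent_decision("0900.0700.0001", 0x809B, ethertype_acl_permits=True))
```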